Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add letsencrypt to Gitea #4189

Merged
merged 34 commits into from Aug 21, 2018
Merged

add letsencrypt to Gitea #4189

merged 34 commits into from Aug 21, 2018

Conversation

ghost
Copy link

@ghost ghost commented Jun 8, 2018

Fix #1167

@techknowlogick
Copy link
Member

techknowlogick commented Jun 8, 2018

Go 1.9 added the math/bits package which is why the one golang step failed. Why is the one drone step at 1.8 and the rest 1.10?

Edit: This isn't feedback on this PR, it's just a thought.

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 8, 2018
@techknowlogick techknowlogick added the type/feature Completely new functionality. Can only be merged if feature freeze is not active. label Jun 8, 2018
@techknowlogick techknowlogick added this to the 1.6.0 milestone Jun 8, 2018
@ghost
Copy link
Author

ghost commented Jun 8, 2018

@techknowlogick its ok. I used most recent crypto lib, but I downgraded to right before 1.9 is needed. Now it looks like build is working.

@codecov-io
Copy link

codecov-io commented Jun 8, 2018

Codecov Report

Merging #4189 into master will increase coverage by <.01%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff            @@
##           master   #4189      +/-   ##
=========================================
+ Coverage   20.69%   20.7%   +<.01%     
=========================================
  Files         167     167              
  Lines       32374   32374              
=========================================
+ Hits         6699    6702       +3     
+ Misses      24693   24691       -2     
+ Partials      982     981       -1
Impacted Files Coverage Δ
modules/process/manager.go 73.91% <0%> (+4.34%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6c1a31f...3d84f1f. Read the comment docs.

@@ -82,7 +82,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

## Server (`server`)

- `PROTOCOL`: **http**: \[http, https, fcgi, unix\]
- `PROTOCOL`: **http**: \[http, https, fcgi, unix, letsencrypt\]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then if you use letsencrypt you should set up the DOMAIN correctly.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

cmd/web.go Outdated
certManager := autocert.Manager{
Prompt: autocert.AcceptTOS,
HostPolicy: autocert.HostWhitelist(domain),
Cache: autocert.DirCache("https"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this directory should come from app.ini file

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also I think there should be option to specify Email that will be used by letsencrypt registration

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated with your changes

cmd/web.go Outdated
Cache: autocert.DirCache(directory),
Email: email,
}
go http.ListenAndServe(":80", certManager.HTTPHandler(nil)) // all traffic coming into HTTP will be redirect to HTTPS automatically
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this also only listen on listenAddr ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for the HTTP validation that LetsEncrypt does, their servers need to be able to access port 80 on the server requesting the certificate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you should just write :http

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@flufmonster yes but listening only on listenAddr+":80" should be enough since it will be the facing interface also for web access. If I remember listenAddr is by default 0.0.0.0 so by default we have the same comportment but if someone want to listen only to one interface via configuring listenAddr we shouldn't listen on all interface even for LE.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sapk I've updated this so it only listens on listenAddr instead of 0.0.0.0

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be handled in same code as http to https functionality already built into gitea

cmd/web.go Outdated
go http.ListenAndServe(":80", certManager.HTTPHandler(nil)) // all traffic coming into HTTP will be redirect to HTTPS automatically
// required for letsencrypt validation
server := &http.Server{
Addr: listenAddr,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AFAIK Let's Encrypt enforces port 443

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's Encrypt only enforces a port when requesting the certificate.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The HTTP port is not really required, the autocert HTTP handler does only a simple redirect to HTTPS, so this port 443 is enforced by Let's Encrypt.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The HTTP port is required. The HTTP handler doesn't just do a simple redirect it also handles the HTTP-01 validation per the acme standard: https://tools.ietf.org/html/draft-ietf-acme-acme-07#section-8.3 and here is the code https://github.com/golang/crypto/blob/master/acme/autocert/autocert.go#L333

I think what you are thinking of is the TLS-SNI challenge which was disabled permanently due to security issues. A new version of TLS only challenge is being worked on but it is still only being discussed on mailing lists.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right on that, but since you are not defining a fallback handler HTTPS must run on 443: https://github.com/golang/crypto/blob/master/acme/autocert/autocert.go#L323-L326

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've just setup a fallback handler to redirect to AppURL so that the user is redirected to the correct place.

Copy link
Member

@techknowlogick techknowlogick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add documentation to the HTTPS setup page: https://docs.gitea.io/en-us/https-setup/

@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 19, 2018
@techknowlogick
Copy link
Member

LGTM

@lafriks
Copy link
Member

lafriks commented Jul 21, 2018

I still think it should reuse http->https port if set in app.ini and not enable that redirection functionality as it also does http->https redirection.
Otherwise it is not possible to use it behind nginx proxy as nginx will be one listening on port 80

@techknowlogick
Copy link
Member

@lafriks it already uses the correct https port in redirect, however Letsencrypt must listen on port 80 per acme protocol.

@lafriks
Copy link
Member

lafriks commented Jul 21, 2018

@techknowlogick yes I know but if you want it to use behind nginx you need it to listen to some other localhost port so that you can reverse proxy :80 to gitea http port

@techknowlogick
Copy link
Member

If someone is using it behind nginx then Gitea shouldn't be serving letsencrypt, their reverse proxy should.

@lafriks
Copy link
Member

lafriks commented Jul 21, 2018

How about docker?

@techknowlogick
Copy link
Member

@lafriks ah yes. That makes sense. @flufmonster can you use PORT_TO_REDIRECT setting instead of :http? This way docker users can remap a port >1024 to 80 via docker, and not worry about running Gitea as root for letsencrypt.

@ghost
Copy link
Author

ghost commented Jul 21, 2018

@lafriks @techknowlogick good idea. I just change it.

EnableLetsEncrypt := sec.Key("ENABLE_LETSENCRYPT").MustBool(false)
LetsEncryptTOS := sec.Key("LETSENCRYPT_ACCEPTTOS").MustBool(false)
if !LetsEncryptTOS && EnableLetsEncrypt {
EnableLetsEncrypt = false
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should print at least a warning in this case.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok. added.

@lafriks
Copy link
Member

lafriks commented Jul 26, 2018

If redirect other port is enabled and letsencrypt is also enabled than redirect to other port listener should not be started. Check should be added here: 2b52f77/cmd/web.go#L54
Edit: it will not get to point where it would start other listener so LGTM

@lafriks
Copy link
Member

lafriks commented Jul 26, 2018

@bkcsoft need your approval

@lunny
Copy link
Member

lunny commented Aug 15, 2018

need @daviian 's approval.

@daviian
Copy link
Member

daviian commented Aug 21, 2018

Sorry that it took me so long to approve. Wasn't able to find time sooner.

@techknowlogick techknowlogick merged commit b82c14b into go-gitea:master Aug 21, 2018
aswild added a commit to aswild/gitea that referenced this pull request Oct 24, 2018
Prepare for wild/v1.6 branch

* BREAKING
  * Respect email privacy option in user search via API (go-gitea#4512)
  * Simply remove tidb and deps (go-gitea#3993)
  * Swagger.v1.json template (go-gitea#3572)
* FEATURE
  * Pull request review/approval and comment on code (go-gitea#3748)
  * Added dependencies for issues (go-gitea#2196) (go-gitea#2531)
  * Add the ability to have built in themes in Gitea and provide dark theme arc-green (go-gitea#4198)
  * Add sudo functionality to the API (go-gitea#4809)
  * Add oauth providers via cli (go-gitea#4591)
  * Disable merging a WIP Pull request (go-gitea#4529)
  * Force user to change password (go-gitea#4489)
  * Add letsencrypt to Gitea (go-gitea#4189)
  * Add push webhook support for mirrored repositories (go-gitea#4127)
  * Add csv file render support defaultly (go-gitea#4105)
  * Add Recaptcha functionality to Gitea (go-gitea#4044)
* BUGFIXES
  * Fix release creation via API (go-gitea#5076)
  * Remove links from topics in edit mode  (go-gitea#5026)
  * Fix missing AppSubUrl in few more templates (fixup) (go-gitea#5021)
  * Fix missing AppSubUrl in some templates (go-gitea#5020)
  * Hide outdated comments in file view (go-gitea#5017)
  * Upgrade gopkg.in/testfixtures.v2 (go-gitea#4999)
  * Disable debug routes unless PPROF is enabled in configuration (go-gitea#4995)
  * Fix user menu item styling (go-gitea#4985)
  * Fix layout of the topics editing form (go-gitea#4971)
  * Fix null pointer dereference in ParseCommitWithSignature (go-gitea#4962)
  * Fix url in discord webhook (go-gitea#4953)
  * Detect charset and convert non UTF-8 files for display (go-gitea#4950)
  * Make sure to catch the right error so it is displayed on the UI (go-gitea#4945)
  * Fix(topics): don't redirect to explore page. (go-gitea#4938)
  * Fix bug forget to remove Stopwatch when remove repository (go-gitea#4928)
  * Fix bug when repo remained bare if multiple branches pushed in single push (go-gitea#4923)
  * Fix: Let's Encrypt configuration settings (go-gitea#4911)
  * Fix: Crippled diff (go-gitea#4726) (go-gitea#4900)
  * Fix trimming of markup section names (go-gitea#4863)
  * Issues api allow pulls and fix go-gitea#4832 (go-gitea#4852)
  * Do not autocreate directory for new users/orgs (go-gitea#4828) (go-gitea#4849)
  * Fix redirect with non-ascii branch names (go-gitea#4764) (go-gitea#4810)
  * Fix missing release title in webhook (go-gitea#4783) (go-gitea#4796)
  * User shouldn't be able to approve or reject his/her own PR (go-gitea#4729)
  * Make sure to reset commit count in the cache on mirror syncing (go-gitea#4720)
  * Fixed bug where team with admin privelege type doesn't get any unit  (go-gitea#4719)
  * Fix incorrect caption of webhook setting (go-gitea#4701) (go-gitea#4717)
  * Allow WIP marker to contains < or > (go-gitea#4709)
  * Hide org/create menu item in Dashboard if user has no rights (go-gitea#4678) (go-gitea#4680)
  * Site admin could create repos even MAX_CREATION_LIMIT=0 (go-gitea#4645)
  * Fix custom templates being ignored (go-gitea#4638)
  * Fix starring icon after semantic ui update (go-gitea#4628)
  * Fix Split-View line adjustment (go-gitea#4622)
  * Fix integer constant overflows in tests (go-gitea#4616)
  * Push whitelist now doesn't apply to branch deletion (go-gitea#4601) (go-gitea#4607)
  * Fix bugs when too many IN variables (go-gitea#4594)
  * Fix failure on creating pull request with assignees (go-gitea#4419) (go-gitea#4583)
  * Fix panic issue on update avatar email (go-gitea#4580) (go-gitea#4581)
  * Fix status code label for a successful webhook (go-gitea#4540)
  * An inactive user shouldn't be able to be added as a collaborator (go-gitea#4535)
  * Don't fail silently if trying to add a collaborator twice (go-gitea#4533)
  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (go-gitea#4519) (go-gitea#4525)
  * Fix out-of-transaction query in removeOrgUser (go-gitea#4521) (go-gitea#4522)
  * Fix migration from older releases (go-gitea#4495)
  * Accept 'Data:' in commit graph (go-gitea#4487)
  * Update xorm to latest version and fix correct `user` table referencing in sql (go-gitea#4473)
  * Relative URLs for LibreJS page (go-gitea#4460)
  * Redirect to correct page after using scratch token (go-gitea#4458)
  * Fix column droping for MSSQL that need new transaction for that (go-gitea#4440)
  * Replace src with raw to fix image paths (go-gitea#4377)
  * Add default merge options when creating new repository (go-gitea#4369)
  * Fix docker build (go-gitea#4358)
  * Fixes repo membership check in API (go-gitea#4341)
  * Dep upgrade mysql lib (go-gitea#4161)
  * Fix some issues with special chars in branch names (go-gitea#3767)
  * Responsive design fixes (go-gitea#4508)
* ENHANCEMENT
  * Fix milestones sorted wrongly (go-gitea#4987)
  * Allow api to create tags for releases if they don't exist (go-gitea#4890)
  * Fix go-gitea#4877 to follow the OpenID Connect Audiences spec (go-gitea#4878)
  * Enforce token on api routes [fixed critical security issue go-gitea#4357] (go-gitea#4840)
  * Update legacy branch and tag URLs in dashboard to new format (go-gitea#4812)
  * Slack webhook channel name cannot be empty or just contain an hashtag (go-gitea#4786)
  * Add whitespace handling to PR-comparsion (go-gitea#4683)
  * Make reverse proxy auth optional (go-gitea#4643)
  * MySQL TLS (go-gitea#4642)
  * Make sure to set PR split view when creating/previewing a pull request  (go-gitea#4617)
  * Log user in after a successful sign up (go-gitea#4615)
  * Fix typo IsPullReuqestBroken -> IsPullRequestBroken (go-gitea#4578)
  * Allow admin toggle forcing a password change for newly created users (go-gitea#4563)
  * Update jQuery to v1.12.4 (go-gitea#4551)
  * Env var GITEA_PUSHER_EMAIL (go-gitea#4516)
  * Feat(repo): support search repository by topic name (go-gitea#4505)
  * Small improvements to dependency UI (go-gitea#4503)
  * Make max commits in graph configurable (go-gitea#4498)
  * Add valid for lfs oid (go-gitea#4461)
  * Add shortcut to save wiki page (go-gitea#4452)
  * Allow administrator to create repository for any organization (go-gitea#4368)
  * Fix repository last updated time update when delete a user who watched the repo (go-gitea#4363)
  * Switch plaintext scratch tokens to use hash instead (go-gitea#4331)
  * Increase default TOTP secret size to 320 bits (go-gitea#4287)
  * Keep preseeded database password (go-gitea#4284)
  * Implemented hover text showing user FullName (go-gitea#4261)
  * Add ability to delete a token (go-gitea#4235)
  * Fix typos in i18n variable names. (go-gitea#4080)
  * Api: repos/search: add parameters to control the sort order (go-gitea#3964)
  * Add missing path in the Docker app.ini template (go-gitea#2181)
  * Add file name and branch to page title (go-gitea#4902)
  * Offline use of google fonts (go-gitea#4872)
  * Add missing History link to directory listings v2 (go-gitea#4829)
  * Locale for Edit and Remove due date issue (go-gitea#4802)
  * Disable 'May Import Local Repository' when is disabled by setting (Is… (go-gitea#4780)
  * API /admin/users/{username} missing parameter (go-gitea#4775)
  * Display error when adding a user to a team twice (go-gitea#4746)
  * Remove UsePrivilegeSeparation from the Docker sshd_config, see go-gitea#2876 (go-gitea#4722)
  * Focus title input when clicking helper link (go-gitea#4696)
  * Add vendor to user reserved words and format words list according alphabet (go-gitea#4685)
  * Add gitea/issues link to 500 page (go-gitea#4654)
  * Hide home button when landing page is not set to home (go-gitea#4651)
  * Remove link to GitHub issues in 404 template (go-gitea#4639)
  * Cmd/serve: pprof cpu and memory profile dumps to disk (go-gitea#4560)
  * Add flash message after an account has been successfully activated (go-gitea#4510)
  * Prevent html entity escaping on delete branch (go-gitea#4471)
  * Locale for button Edit on protected branch (go-gitea#4442)
  * Update notification icon (go-gitea#4343)
  * Added front-end topics validation (go-gitea#4316)
  * Don't display buttons if there are no system notifications (go-gitea#4280)
  * Issue due date api (go-gitea#3890)
* SECURITY
  * Improve URL validation for external wiki  and external issues (go-gitea#4710)
  * Make cookies HttpOnly and obey COOKIE_SECURE flag (go-gitea#4706)
  * Don't disclose emails of all users when sending out emails (go-gitea#4664)
  * Check that repositories can only be migrated to own user or organizations (go-gitea#4366)
* TRANSLATION
  * Fix punctuation in English translation (go-gitea#4958)
  * Fix translation (go-gitea#4355)
@lafriks lafriks added the type/changelog Adds the changelog for a new Gitea version label Nov 10, 2018
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh removed the type/changelog Adds the changelog for a new Gitea version label Oct 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/feature Completely new functionality. Can only be merged if feature freeze is not active.
Projects
None yet
Development

Successfully merging this pull request may close these issues.